Functional Safety Doesn’t End at the Field Instrument – Don’t Forget About the Connectivity Link!

By Michal Brychta

Many field devices are used to provide functional safety in process control and factory automation. This requires not only the instrument but also the connection between it and the control system to fulfill functional safety requirements. This blog explores key considerations relating to the design of field instruments for functional safety (IEC 61508) in 4-20 mA and 10BASE-T1L implementations. To catch up on the previous blog, find it here.

4-20 mA Loop Basics

Traditional 4 to 20 mA loops have been used to connect field instruments to controllers for over 50 years. The principle of the 4 to 20 mA loop is very simple – 4 mA current represents 0% of the measured value while 20 mA current represents 100%, and any analog current value in between corresponds to the relevant measurement value. The simplest cases to diagnose are 0 mA current (caused by a disconnected cable), and a current exceeding 20 mA (possibly indicating a short circuit).

4-20mA Loop with Functional Safety

However, when functional safety requirements are introduced, things become more complicated. This is mainly due to the use of analog signaling, where any value of current between 4 and 20 mA can be interpreted as valid by a receiver. Figure 1 shows a typical signal chain of a field instrument connected to a control system using a 4 to 20 mA loop. The microcontroller sets the digital-to-analog converter (DAC) to an appropriate value, and the output driver (with output transistor and sense resistor in the feedback loop) sets the desired output current.

Figure 1. 4-20 mA Field Device, with safety features highlighted in yellow

The question arises as to what happens if the data written to the DAC becomes corrupted, or if the sense resistor is partially damaged (for example, by a massive electromagnetic disturbance) so that its value changes. The output current would then be wrong, but since it remains within the valid 4-20 mA range, the receiver would still interpret it as valid, even though it differs from the value intended by the controller. For this reason, a high degree of diagnostics is typically included in the 4 to 20 mA loop output: for example, a second sense resistor and an additional analog-to-digital converter (ADC), with an extra data path back to the controller, which checks that the actual output current corresponds to the intended value. Similar measures must also be taken on the receiver side, which typically includes a second independent sense resistor and a second ADC. Furthermore, the controller performs comparison checks to ensure that the input current is measured and interpreted correctly.

Therefore, the entire 4 to 20 mA analog communication channel must include diagnostic features appropriate to the required safety integrity level (SIL) and be designed, assessed, and certified per the relevant functional safety standard, starting with IEC 61508 and continuing with other application-specific standards. The field instrument can deliberately lower the current below 4 mA or raise it above 20 mA to indicate that something is wrong, and must do so if any failure is detected inside the instrument. Diagnostic bands are defined (e.g., NAMUR NE-43) such that currents ranging from 3.6 - 3.8 mA and 20.5 - 21 mA carry diagnostic data, while values below 3.6 mA and above 21 mA indicate a failure. However, while current readings with these values can alert the controller that something is wrong, they don't provide any details about the cause of the problem.
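The two mechanisms described above, the readback comparison inside the instrument and the NE-43 current bands at the receiver, are shown together in the following firmware-style sketch. This is an added example, not code from Analog Devices or the original post; the band thresholds are the ones quoted in the text, while the handling of the gaps the text does not cover (3.8 - 4.0 mA and 20.0 - 20.5 mA), the readback tolerance and the 3.5 mA fail-safe value are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Receiver-side classification of the loop current using the NE-43 bands
 * quoted on the page. The bands 3.8-4.0 mA and 20.0-20.5 mA are not
 * described in the text; treating them as saturated measurement is an
 * assumption made for this example. */
typedef enum {
    LOOP_FAIL_LOW,      /* below 3.6 mA: failure (0 mA = open loop) */
    LOOP_DIAG_LOW,      /* 3.6 - 3.8 mA: diagnostic data */
    LOOP_SATURATED,     /* 3.8 - 4.0 mA or 20.0 - 20.5 mA: assumed saturation */
    LOOP_VALID,         /* 4.0 - 20.0 mA: measurement */
    LOOP_DIAG_HIGH,     /* 20.5 - 21.0 mA: diagnostic data */
    LOOP_FAIL_HIGH      /* above 21 mA: failure (e.g. short circuit) */
} loop_state_t;

loop_state_t classify_loop_current(double ma) {
    if (ma < 3.6)   return LOOP_FAIL_LOW;
    if (ma < 3.8)   return LOOP_DIAG_LOW;
    if (ma < 4.0)   return LOOP_SATURATED;
    if (ma <= 20.0) return LOOP_VALID;
    if (ma < 20.5)  return LOOP_SATURATED;
    if (ma <= 21.0) return LOOP_DIAG_HIGH;
    return LOOP_FAIL_HIGH;
}

/* Percent of span for a reading: 4 mA maps to 0 %, 20 mA to 100 %. */
double loop_current_to_percent(double ma) {
    return (ma - 4.0) / 16.0 * 100.0;
}

/* Instrument-side readback check: the second sense resistor and ADC
 * re-measure the real output current, and the firmware compares it with
 * the value the DAC was commanded to drive. The tolerance is an assumed
 * example value, not a figure from the page. */
bool output_readback_ok(double commanded_ma, double measured_ma, double tol_ma) {
    double diff = commanded_ma - measured_ma;
    if (diff < 0.0) diff = -diff;
    return diff <= tol_ma;
}

/* The page states the instrument must drive the loop below 3.6 mA or above
 * 21 mA when an internal failure is detected; 3.5 mA is an assumed choice. */
#define FAIL_SAFE_LOW_MA 3.5

/* Decide the next output current: keep the commanded value if the readback
 * agrees, otherwise force the loop into the failure band so the receiver
 * cannot mistake a corrupted output for a valid measurement. */
double next_output_ma(double commanded_ma, double measured_ma, double tol_ma) {
    if (!output_readback_ok(commanded_ma, measured_ma, tol_ma))
        return FAIL_SAFE_LOW_MA;
    return commanded_ma;
}

int main(void) {
    /* Constructed sample: DAC commanded 12 mA (50 %), readback ADC sees
     * 14 mA because the sense resistor has drifted. Without the readback
     * the receiver would accept 14 mA as a valid 62.5 % reading. */
    double commanded = 12.0, measured = 14.0, tol = 0.1;
    double drive = next_output_ma(commanded, measured, tol);
    printf("commanded %.1f mA, measured %.1f mA -> drive %.1f mA (state %d)\n",
           commanded, measured, drive, (int)classify_loop_current(drive));
    return 0;
}
```

Note that the decision to force a failure current is taken inside the instrument, where the fault is observable; the receiver only learns that something is wrong, which is exactly the limitation the text describes.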

10BASE-T1L Implementation with Functional Safety

Figure 2 shows a similar field instrument with a 10BASE-T1L / APL (Advanced Physical Layer) interface. Here, the communication link between the instrument and controller is digital, allowing the use of industrial Ethernet protocols like Profinet, EtherNet/IP, or HART-IP to communicate control data.

Figure 2. 10BASE-T1L / APL connected Field Device

From a functional safety perspective, there is no change in the diagnostics and other safety-related features in the instrument itself - the sensor, the relevant analog front end, and the firmware interpreting the signal from the sensor. However, the Ethernet communication link is now considered a "black channel" which must provide a sufficient level of reliability - 10BASE-T1L specifies that the bit error rate (BER) must be less than 10^-9. In addition, there is no ambiguity about the validity of data, because a CRC is included in each Ethernet frame at the data link layer, and further checks are performed at higher protocol layers for safety-related data (e.g., PROFIsafe).
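To make the "no ambiguity" point concrete, the following added example (not code from the original post or from any Ethernet or PROFIsafe implementation) computes the Ethernet frame check sequence, the CRC-32 defined in IEEE 802.3, over a constructed payload and shows that a single flipped bit is rejected outright rather than being read as a slightly different but still plausible value, which is the failure mode the 4-20 mA discussion above describes. The payload bytes and the bit position flipped are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 as used for the Ethernet frame check sequence (IEEE 802.3):
 * reflected polynomial 0xEDB88320, initial value 0xFFFFFFFF, final XOR
 * 0xFFFFFFFF. Bit-serial form for clarity rather than a lookup table. */
uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Build a frame by appending the FCS to the payload, least significant
 * byte first, which is how the FCS is transmitted on the wire. */
size_t frame_build(const uint8_t *payload, size_t len, uint8_t *out) {
    uint32_t fcs = crc32_ieee(payload, len);
    memcpy(out, payload, len);
    out[len + 0] = (uint8_t)(fcs & 0xFFu);
    out[len + 1] = (uint8_t)((fcs >> 8) & 0xFFu);
    out[len + 2] = (uint8_t)((fcs >> 16) & 0xFFu);
    out[len + 3] = (uint8_t)((fcs >> 24) & 0xFFu);
    return len + 4;
}

/* Receiver side: recompute the CRC over everything but the trailing FCS
 * and compare. A mismatch means the frame is discarded, not interpreted. */
bool frame_check(const uint8_t *frame, size_t len) {
    if (len < 4) return false;
    uint32_t expected = crc32_ieee(frame, len - 4);
    uint32_t got = (uint32_t)frame[len - 4]
                 | ((uint32_t)frame[len - 3] << 8)
                 | ((uint32_t)frame[len - 2] << 16)
                 | ((uint32_t)frame[len - 1] << 24);
    return expected == got;
}

/* Constructed demonstration: a small "measurement" payload (not a real
 * Profinet or PROFIsafe PDU) passes the check when intact and fails it
 * after one bit of the value field is flipped in transit. Returns true
 * when both outcomes are as expected. */
bool demo_single_bit_flip_detected(void) {
    /* constructed payload: a tag byte, a 16-bit process value, a status byte */
    const uint8_t payload[] = { 0x01, 0x34, 0x12, 0x00 };
    uint8_t frame[16];
    size_t n = frame_build(payload, sizeof payload, frame);
    if (!frame_check(frame, n)) return false;   /* intact frame must pass */
    frame[1] ^= 0x10;                           /* corrupt one bit of the value */
    return !frame_check(frame, n);              /* corrupted frame must fail */
}

int main(void) {
    printf("single bit flip detected: %s\n",
           demo_single_bit_flip_detected() ? "yes" : "no");
    return 0;
}
```

The residual risk on a digital link is the probability that corruption passes the CRC undetected, which is what the black-channel model bounds with the BER requirement and the additional safety-layer checks; an analog loop has no equivalent check at all.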

In conclusion, the 10BASE-T1L/APL connectivity implementation allows larger volumes of data to be communicated at significantly higher speeds, while the "black channel" communications link ensures the functional safety aspect is better defined and much easier to implement.

For further interesting insights into the topic of functional safety in industrial automation, check out the following blogs from Analog Devices’ functional safety expert, Tom Meany:

https://ez.analog.com/ez-blogs/b/engineerzone-spotlight/posts/functional-safety-of-4-20ma-networks

https://ez.analog.com/ez-blogs/b/engineerzone-spotlight/posts/functional-safety-and-networking